research-article

Understanding Integer Overflow in C/C++

Authors:

Vikram AdveAuthors Info & Claims

ACM Transactions on Software Engineering and Methodology (TOSEM), Volume 25, Issue 1

Article No.: 2, Pages 1 - 29

https://doi.org/10.1145/2743019

Published: 02 December 2015 Publication History

Abstract

Integer overflow bugs in C and C++ programs are difficult to track down and may lead to fatal errors or exploitable vulnerabilities. Although a number of tools for finding these bugs exist, the situation is complicated because not all overflows are bugs. Better tools need to be constructed, but a thorough understanding of the issues behind these errors does not yet exist. We developed IOC, a dynamic checking tool for integer overflows, and used it to conduct the first detailed empirical study of the prevalence and patterns of occurrence of integer overflows in C and C++ code. Our results show that intentional uses of wraparound behaviors are more common than is widely believed; for example, there are over 200 distinct locations in the SPEC CINT2000 benchmarks where overflow occurs. Although many overflows are intentional, a large number of accidental overflows also occur. Orthogonal to programmers' intent, overflows are found in both well-defined and undefined flavors. Applications executing undefined operations can be, and have been, broken by improvements in compiler optimizations. Looking beyond SPEC, we found and reported undefined integer overflows in SQLite, PostgreSQL, SafeInt, GNU MPC and GMP, Firefox, LLVM, Python, BIND, and OpenSSL; many of these have since been fixed.

References

[1]

D. Brumley, T. Chiueh, R. Johnson, H. Lin, and D. Song. 2007. RICH: Automatically protecting against integer-based vulnerabilities. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS).

[2]

CERT. 2006. IntegerLib, a Secure Integer Library. (2006). http://www.cert.org/secure-coding/IntegerLib.zip.

[3]

P. Chen, Y. Wang, Z. Xin, B. Mao, and L. Xie. 2009. BRICK: A binary tool for run-time detecting and locating integer-based vulnerability. In Proceedings of the 4th International Conference on Availability, Reliability and Security. 208--215.

[4]

S. Christey and R. A. Martin. 2007. Vulnerability type distributions in CVE. Tech. report. MITRE Corporation. May. http://cwe.mitre.org/documents/vuln-trends.html.

[5]

S. Christey, R. A. Martin, M. Brown, A. Paller, and D. Kirby. 2011. 2011 CWE/SANS top 25 most dangerous software errors. Tech. report. MITRE Corporation. September. http://cwe.mitre.org.top25.

[6]

Clang. 2011. Clang: A C language family frontend for LLVM. http://clang.llvm.org. (Last accessed Sept. 2011).

[7]

R. B. Dannenberg, W. Dormann, D. Keaton, R. C. Seacord, D. Svoboda, A. Volkovitsky, T. Wilson, and T. Plum. 2010. As-if infinitely ranged integer model. In Proceedings of the 21st International Symposium on Software Reliability Engineering (ISSRE'10). 91--100.

Digital Library

[8]

W. Dietz, P. Li, J. Regehr, and V. Adve. 2012. Understanding integer overflow in C/C++. In Proceedings of the International Conference on Software Engineering (ICSE'12). IEEE Press, 760--770.

Digital Library

[9]

D. Hodges. 2008. Why do Pinky and Inky have different behaviors when Pac-Man is facing up? (Dec. 2008). http://donhodges.com/pacman_pinky_explanation.htm. (Last accessed Sept. 2011).

[10]

Intel. 2013. Intel VTune amplifier XE 2013. (2013). http://software.intel.com/en-us/intel-vtune-amplifier-xe

[11]

C. Lattner and V. Adve. 2004. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the 2004 International Symposium on Code Generation and Optimization (CGO'04).

Digital Library

[12]

D. LeBlanc. 2004. Integer handling with the C++ SafeInt class. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01142004.asp.

[13]

D. LeBlanc. 2011. Author's blog: Integer handling with the C++ SafeInt class. http://safeint.codeplex.com/.

[14]

N. G. Leveson and C. S. Turner. 1993. An investigation of the Therac-25 accidents. Computer 26, 7, 18--41.

Digital Library

[15]

MITRE Corporation. 2002. CVE-2002-0639: Integer overflow in sshd in OpenSSH. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639.

[16]

MITRE Corporation. 2010. CVE-2010-2753: Integer overflow in Mozilla Firefox, Thunderbird and SeaMonkey. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2753.

[17]

MITRE Corporation. 2013. Common vulnerability and exposures. http://cve.mitre.org/.

[18]

D. Molnar, X. C. Li, and D. A. Wagner. 2009. Dynamic test generation to find integer bugs in x86 binary Linux programs. In Proceedings of the 18th USENIX Security Symposium. 67--82.

Digital Library

[19]

N. Nethercote and J. Seward. 2003. Valgrind: A program supervision framework. In Proceedings of the 3rd Workshop on Runtime Verification.

[20]

T. Wang, T. Wei, Z. Lin, and W. Zou. 2009. IntScope: Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. In Proceedings of the 16th Network and Distributed System Security Symp.

[21]

Wikipedia. 2011a. Arbitrary-precision arithmetic. http://en.wikipedia.org/wiki/Arbitrary-precision_arithmetic. (Last accessed Sept. 2011).

[22]

Wikipedia. 2011b. Pac-Man. http://en.wikipedia.org/w/index.php?title=Pac-Man&oldid==450692749#Split-screen. (Last accessed Sept. 2011).

Cited By

Wu JShi QLuo BLiao XXu JKirda ELie D(2024)Poster: Protecting Source Code Privacy When Hunting BugsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3691407(5030-5032)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3691407
Tan JRigger MChristakis MPradel M(2024)Inconsistencies in TeX-Produced DocumentsProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680370(1415-1427)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680370
Yin XFeng YShi QLiu ZLiu HXu BChristakis MPradel M(2024)FRIES: Fuzzing Rust Library Interactions via Efficient Ecosystem-Guided Target GenerationProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680348(1137-1148)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680348
Show More Cited By

Index Terms

Understanding Integer Overflow in C/C++
1. General and reference
  1. Cross-computing tools and techniques
    1. Validation
  2. Document types
    1. Computing standards, RFCs and guidelines
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Empirical software validation
      2. Process validation
  2. Software notations and tools
    1. General programming languages
      1. Language features

Recommendations

Understanding integer overflow in C/C++
ICSE '12: Proceedings of the 34th International Conference on Software Engineering

Integer overflow bugs in C and C++ programs are difficult to track down and may lead to fatal errors or exploitable vulnerabilities. Although a number of tools for finding these bugs exist, the situation is complicated because not all overflows are ...
Integer Overflow Detection with Delayed Runtime Test
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Detecting integer overflow vulnerabilities is critical for software security. Many techniques have been proposed to dynamically detect integer overflow vulnerabilities by instrumenting integer overflow tests into target programs. Their major drawback is ...
Efficient Dynamic Tracking Technique for Detecting Integer-Overflow-to-Buffer-Overflow Vulnerability
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerabilities can be exploited by attackers to cause severe damages to computer systems. In this paper, we present the design and implementation of IntTracker, an efficient dynamic tracking technique for ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Software Engineering and Methodology

ACM Transactions on Software Engineering and Methodology Volume 25, Issue 1

December 2015

339 pages

ISSN:1049-331X

EISSN:1557-7392

DOI:10.1145/2852270

Editor:
David S. Rosenblum
National University of Singapore, Singapore

Issue’s Table of Contents

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 December 2015

Accepted: 01 March 2015

Received: 01 February 2015

Published in TOSEM Volume 25, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

DARPA's Computer Science Study Group
Air Force Research Laboratory (AFRL)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

45
Total Citations
View Citations
1,609
Total Downloads

Downloads (Last 12 months)155
Downloads (Last 6 weeks)19

Reflects downloads up to 30 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wu JShi QLuo BLiao XXu JKirda ELie D(2024)Poster: Protecting Source Code Privacy When Hunting BugsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3691407(5030-5032)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3691407
Tan JRigger MChristakis MPradel M(2024)Inconsistencies in TeX-Produced DocumentsProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680370(1415-1427)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680370
Yin XFeng YShi QLiu ZLiu HXu BChristakis MPradel M(2024)FRIES: Fuzzing Rust Library Interactions via Efficient Ecosystem-Guided Target GenerationProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680348(1137-1148)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680348
Kuliamin V(2024)A Survey of Software Dynamic Analysis MethodsProgramming and Computing Software10.1134/S036176882401007950:1(90-114)Online publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1134/S0361768824010079
Zheng WHua B(2024)WASMDYPA: Effectively Detecting WebAssembly Bugs via Dynamic Program Analysis2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00037(296-307)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00037
Wajid DIqbal HJamil MAnwar A(2023)Survey of Linux Based Free Software Tools for Remote Learning of Electrical and Computer Engineering in a Post COVID-19 EraSSRN Electronic Journal10.2139/ssrn.4626716Online publication date: 2023
https://doi.org/10.2139/ssrn.4626716
Kyriakou KTselikas N(2022)Complementing JavaScript in High-Performance Node.js and Web Applications with Rust and WebAssemblyElectronics10.3390/electronics1119321711:19(3217)Online publication date: 7-Oct-2022
https://doi.org/10.3390/electronics11193217
Shi XXie XLi YZhang YChen SLi XRoychoudhury ACadar CKim M(2022)Large-scale analysis of non-termination bugs in real-world OSS projectsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549129(256-268)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549129
Zhang HWang SLi HChen THassan A(2022)A Study of C/C++ Code Weaknesses on Stack OverflowIEEE Transactions on Software Engineering10.1109/TSE.2021.305898548:7(2359-2375)Online publication date: 1-Jul-2022
https://doi.org/10.1109/TSE.2021.3058985
Bojanova IGalhardo CMoshtari S(2022)Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight2022 IEEE 29th Annual Software Technology Conference (STC)10.1109/STC55697.2022.00035(192-205)Online publication date: Oct-2022
https://doi.org/10.1109/STC55697.2022.00035
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents